Queries related to RPZ

Tony Finch dot at dotat.at
Tue Apr 17 11:46:33 UTC 2018


Blason R <blason16 at gmail.com> wrote:
>
> I am building DNS RPZ and I am a complete novice. I will be having around
> 10-20k zones which my DNS will be wallgardening.
>
> Just wondering how this can be done with DNS RPZ? Since the zones have to be
> included in named.conf.

It sounds to me like you are getting muddled up between the old pre-RPZ
way of blocking domains, and the way to do it with RPZ.

The old way was to configure a local authoritative zone which would catch
queries for a domain that you wanted to block - if you wanted tens of
thousands of blocks you needed tens of thousands of local zones. Not much
fun.

The RPZ way only requires one zone, and each blocked domain is an entry in
that zone. A zone with tens of thousands of records is easy.

So, for example, my named.conf includes:

# ...
	response-policy {
		zone "test.rpz.dotat.at";
	}
		break-dnssec yes
		max-policy-ttl 5m
		qname-wait-recurse no
	;
# ...
zone test.rpz.dotat.at {
        type master;
        file "zone/test.rpz.dotat.at";
        masterfile-format raw;
        update-policy local;
};
# ...

And in the zone file:

$ORIGIN test.rpz.dotat.at.
$TTL 3600
@			IN SOA  grey.dotat.at. dot.dotat.at. (
                                69 3600 3600 604800 3600 )
                        NS      grey.dotat.at.
badguy.com		CNAME	.
*.badguy.com		CNAME	.
pills.biz		CNAME	.
*.pills.biz		CNAME	.
; more blocked domains...

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
partnership and community in all areas of life
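The zone file above is the part that grows to tens of thousands of records, so what follows is an added example (not Tony's code, nor anything from BIND itself) of generating it from a plain blocklist: each listed domain and its subdomains get the "CNAME ." NXDOMAIN action, using the same origin and name-server names as the mail and a constructed sample blocklist.

```python
"""Generate a BIND RPZ zone file from a plain list of domains to block."""
import re

# Constructed sample blocklist (not from the original mail): one domain per line,
# with a comment, a blank line, a trailing dot, mixed case and a duplicate.
SAMPLE_BLOCKLIST = """\
# example blocklist
badguy.com
PILLS.biz.
badguy.com

Sub.Example.Test
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case, strip the trailing dot; return None for anything that is not a valid hostname."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name


def parse_blocklist(text):
    """Return the sorted, de-duplicated list of valid domains in a blocklist."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        name = normalize(line)
        if name:
            names.add(name)
    return sorted(names)


def rpz_zone(origin, primary_ns, hostmaster, serial, domains, ttl=3600):
    """Build the text of an RPZ zone in which every domain and all of its
    subdomains are answered with NXDOMAIN (the RPZ 'CNAME .' action)."""
    lines = [
        f"$ORIGIN {origin}.",
        f"$TTL {ttl}",
        f"@\tIN SOA\t{primary_ns}. {hostmaster}. ( {serial} 3600 3600 604800 3600 )",
        f"\tNS\t{primary_ns}.",  # leading whitespace: same owner as the SOA (@)
    ]
    for d in domains:
        lines.append(f"{d}\tCNAME\t.")     # the domain itself
        lines.append(f"*.{d}\tCNAME\t.")   # every name below it
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(rpz_zone("test.rpz.dotat.at", "grey.dotat.at", "dot.dotat.at", 69,
                   parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```

Bump the serial on every regeneration and reload the zone (rndc reload test.rpz.dotat.at) so named picks up the new policy records.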
